Slashdot Mirror


TimeWarner DNS Hijacking

Exstatica writes "It looks like TimeWarner is taking vigilante action on the botnet problem. They've hijacked DNS for a few IRC servers, the latest being irc.mzima.net and irc.nac.net — both part of EFNet. (irc.vel.net was hijacked earlier but has been restored.) Using ns1.sd.cox.net, the lookup returns an IP for what looks to be a script that forces the user into a channel and issues a set of commands to clean the drones. There have been different reports of other IRC networks being hijacked and other DNS servers involved. Is this the right way to handle the botnet problem? Is hijacking DNS legal?" Botnets are starting to move off of IRC for command and control, anyway.
Update: 07/24 00:01 GMT by KD : Updated and added more links; thanks to Drew Matthews at vel.net. 07/24 11:52 GMT by KD : Daniel Haskell wrote in to say that ircd.nac.net is seeing cox.net connections again, and that they are in discussion with the EFF over the matter.

10 of 339 comments

  1. New Update since I submitted this yesterday by Exstatica · · Score: 5, Informative

    Since submitting this article yesterday there have been some new developments. There was a large debate on NANOG about what has been happening, and it eventually was published on Wired. The full description of everything that has happened and how it happened can be found on my site at http://www.exstatica.net/hijacked/. As for irc.vel.net, we have had our DNS returned, but irc.mzima.net appears to still be hijacked.

    1. Re:New Update since I submitted this yesterday by Skrynesaver · · Score: 5, Funny
      Realistically anyone attempting to prosecute Cox for exploiting a backdoor in a botnet is going to have a hard time keeping their client out of jail.

      I look forward to Cox meeting their lawyers.
      Evil_lawyer_dude: You have exploited a vulnerability in my client's software
      Cox Communications: Oops, so we have, would you care to name your client
      Evil_lawyer_dude: I don't have to
      Cox Communications: Well, without evidence of harm done to your client we can't be held liable for anything
      Evil_lawyer_dude: My client has been unable to carry on his business using the resources of your customers
      Cox Communications: Yes, and we have a list of customers who would be part of a counter suit, now go away or we will taunt you some more.

      --
      "Linux is for noobs"-The new MS fud strategy
  2. This is a DNS hijacking. by woodchip · · Score: 5, Funny

    OK, DNS server, resolve me to .cu and nobody gets hurt.

  3. The criminal code calls it "Theft of Services" by cenonce · · Score: 5, Interesting

    In Pennsylvania, it sounds like it might fall under Theft of, or Diversion of Services.

  4. The Right Way? by Kozar_The_Malignant · · Score: 5, Funny

    >Is this the right way to handle the botnet problem?

    No. The right way involves castration with rusty linoleum knives, Turkish prisons, and rabid wolverines. If that doesn't work, we should quit being nice and get nasty with these folks. Seriously, this problem will not go away until people start doing some hard time, preferably with a cell mate who does not need Erct|le Member Help!

    --
    Some mornings it's hardly worth chewing through the restraints to get out of bed.
  5. This will NOT raise awareness or work in any way. by twitter · · Score: 5, Interesting

    Wired found someone who approves of breaking the internet:

    > Frankly, redirecting requests to malware sites, or IRC communication channels, to cleaner-sites sounds like a practical short term tactic to me. And if it raises awareness around the seriousness of the bot problem I'm all for it.

    Right, because the kind of people who might actually use IRC know nothing about botnets and the kind of Windoze users who are part of the botnet care about IRC. This is just another attack on the free software community as outlined in the Halloween Documents.

    Once again, the ISP has punished the good guys for problems created by the bad guys. The root cause of the botnet is Windoze. Fixing it and raising awareness is as simple as cutting the problem computers off your network and telling their owners why. This is as it should be and pretending otherwise props up third rate software and threatens the stability of the net.

    --

    Friends don't help friends install M$ junk.

  6. Re:This will NOT raise awareness or work in any wa by thegrassyknowl · · Score: 5, Insightful

    > Once again, the ISP has punished the good guys for problems created by the bad guys. The root cause of the botnet is Windoze. Fixing it and raising awareness is as simple as cutting the problem computers off your network and telling their owners why. This is as it should be and pretending otherwise props up third rate software and threatens the stability of the net.

    I wish I hadn't run out of mod points; this is gold.

    That's a pretty cut and dried way of reducing the number of bots. Cutting the user off forces them to understand what is wrong and why they're cut off. If you just give them information most will just click past it and continue on their merry way. Users don't want information. They want the pr0nz as quick as possible. Didn't you know that?

    I can think of one case where a (now ex) friend of mine would email To: every single person in her work address book with SPAM for her work. I started out telling her to use the Bcc: field at least and pointed her to a web page describing why you'd want to do that. She replied "I don't want to read all that technical garbage" then carried on the same. Then I asked her to remove me from her list. She replied "I am going to send you this stuff because I know you want it" (it really was SPAM for her work, it wasn't even jokes or chain mail). There ended our friendship as I reported them to their ISP. They were warned by their ISP and still continued doing what they did. They lost hosting pretty quick after that.

    People don't want to learn. They are, by and large, idiots. Heavy handed measures are the only way to force them to realise that fact.

    --
    I drink to make other people interesting!
  7. What??? by bogie · · Score: 5, Interesting

    You mean you actually talked to someone in tech support who not only knew what a packet was but also looked up what was happening on their end at a technical level? How many drones did you have to speak to telling you to A)reboot or B)reinstall your machine? Did you use chicken blood or ox blood to perform this magic?

    --
    If you wanna get rich, you know that payback is a bitch
  8. No, probably not by Sycraft-fu · · Score: 5, Interesting

    Since it sounds like they were doing it with their DNS servers. While it would be illegal for me to break in to your DNS server and modify it, it is not illegal for me to modify my DNS server, even if you use it. If you dislike it, you can use another service, but unless I have a contract with you there's nothing wrong with it (legally). You can argue it is a bad idea, but changing their equipment on their network is well within their rights.

  9. Re:Alternative DNS? by dissy · · Score: 5, Insightful

    I thought OpenDNS was the greatest thing, until I noticed if you type in a URL that isn't valid it doesn't deliver the standard "non-existent domain" return, but instead gives you an OpenDNS search results page. Bleh. I'll stick with running Bind on my own server, thank you. Actually, if you sign up for a free account, and add your IP(s) in their dashboard webapp, you can configure all sorts of things, including to return NXDOMAIN on resolution failure.

    I too agree that breaking NXDOMAIN is a bad thing, but OpenDNS at least does let you change this yourself. It just has the wrong default, so to speak.

    I strongly urge you to sign up for a free account, and look over their settings available, before you judge.

    -- Jon
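A probe for the two resolver behaviours this thread is about, added here as an example and not code from the thread, from OpenDNS or from any ISP: it builds a raw DNS query, parses the reply, and reports whether a name that cannot exist came back as a bare NXDOMAIN or as an A record (the search-page rewrite dissy describes), and whether a known name's answer contains the address you expect from its authoritative servers (the kind of mismatch the story's IRC server operators saw). The resolver address, names and `build_response` replies are constructed assumptions; `build_response` exists only so the parser can be exercised offline.

```python
import random
import socket
import struct

def build_query(name, txid=0x1234):
    # Minimal A/IN query with RD set and no EDNS.
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def build_response(query, rcode, addrs=()):
    # Constructed reply to `query`; each answer is an A RR whose owner points at the question name.
    hdr = struct.pack(">HHHHHH", query[0] << 8 | query[1], 0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4)
                   + bytes(int(o) for o in a.split(".")) for a in addrs)
    return hdr + query[12:] + rrs

def _skip_name(msg, off):
    # Offset just past a possibly-compressed owner name.
    while msg[off] and (msg[off] & 0xC0) != 0xC0:
        off += msg[off] + 1
    return off + (2 if (msg[off] & 0xC0) == 0xC0 else 1)

def parse_response(msg):
    # Return the RCODE and every IPv4 address in the answer section.
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE/QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0xF, "addrs": addrs}

def classify(msg, expected=None):
    # expected=None: the name cannot exist, so only a bare NXDOMAIN is honest.
    # expected=IP:   a known name is honest only if that IP is among the answers.
    r = parse_response(msg)
    honest = (r["rcode"] == 3 and not r["addrs"]) if expected is None else expected in r["addrs"]
    return "honest" if honest else "rewritten:" + (",".join(r["addrs"]) or "rcode=%d" % r["rcode"])

def probe(resolver_ip, name, expected=None):
    # Live UDP query to `resolver_ip` port 53 (needs network; a timeout raises socket.timeout).
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(name, random.randrange(65536)), (resolver_ip, 53))
        return classify(s.recv(512), expected)
```

To test a resolver you actually use, call `probe("192.0.2.53", "%08x.example." % random.randrange(1 << 32))` for the NXDOMAIN check (assumed resolver address) and `probe("192.0.2.53", "irc.example.net", "<address from its authoritative servers>")` for the known-name check.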